pinkpanther56 (TechnicalUser)
1 Feb 08 6:34
I notice that even on a fresh install of XP SP2 that the creator owner group have full permissions, everyone are limited to read and execute. After discovering a few folders that seem to have been created by either spyware or rogue apps I'd like to remove this.

1. Who here removes the creator owner group from the root of the C: drive?

2. What problems is this likely to cause?

3. How can I go about removing this access on clients that are already on the network?

Thanks for any input.
wolluf (TechnicalUser)
1 Feb 08 13:04

Quote:

I notice that even on a fresh install of XP SP2 that the creator owner group have full permissions, everyone are limited to read and execute.

Is this true? - that is you don't mention that system and administrators also have full permissions (generally the creator is also administrator).

If you don't use internet from Administrator level accounts, you greatly reduce the chance of what you have had happening.

1. I don't remove creator/owner - can't see the point.
2. Don't know as don't do it, but can't see problems as system and administrators will still have full permissions.
3. What does being already on the network have to do with changing permissions? Or are you asking how to change lots of machines remotely?

As I mentioned earlier, best approach afaik is to use limited accounts for internet access.
linney (TechnicalUser)
1 Feb 08 15:34
"You might see an account with the name "Owner" when you first log on. The owner account, with computer administrator privileges, is created during installation if no user accounts are set up at that time. You can rename this account with a user's name".

In SP2 this is listed as "Creator Owner" with no boxes checked under the Permissions, except for "Special Permissions".  By checking for "Creator Owner" under Advanced/ Effective Permissions, you can see the Permissions for the Owner.  On this machine, there were no boxes checked in Effective Permissions, which means that it has no access whatsoever.

Users listed under the Security Tab of C: -

Administrators
Creator Owner
Everyone
System
Users

How To Reset Security Settings Back to the Defaults
http://support.microsoft.com/default.aspx?scid=313222#1

How to apply the same Group Policy to many machines in a Workgroup environment.
FAQ779-5596: How to apply the same Group Policy to many machines in a Workgroup environment.

Script/Batch changing file permissions?
thread779-1300502: Script/Batch changing file permissions?
pinkpanther56 (TechnicalUser)
3 Feb 08 11:24
wolluf, yes, the admin and system permissions are listed as well.

Linney, these are domain machines and everyone logs on as a restricted user so they can't write data to Program Files or Windows. I've noticed that even though they can't see the C: drive it is possible for them to create folders or files in the root of C:.

If they manage to do this then the user is listed as creator owner and has full permissions when you view the advanced NTFS permissions. I'd like to make it so users cannot create folders at all.
wolluf (TechnicalUser)
3 Feb 08 12:06
If the users don't belong to any groups defined to have security access to the C: drive, then they shouldn't be able to create anything in the root (are there other permissions there you haven't mentioned?). How is it possible for them to create files/folders - especially as they can't see C: (is it the users or a system process? If it is the users, is it intentional - i.e., do you have clever users who are trying to circumvent security?). As I said earlier, can't see why removing creator/owner would cause problems - why not try it out on one machine and see if:-

1. It does/doesn't cause problems
2. It stops the creation of files/folders under C:.
linney (TechnicalUser)
3 Feb 08 14:08
See if this helps?

Preventing Students from Saving Games on the C: Drive
http://www.novell.com/communities/node/3173/preventing-students-saving-games-c-drive
pinkpanther56 (TechnicalUser)
3 Feb 08 14:13
Well, I suspect it's an app that some users are running off the net like a Java game that sometimes created the folders. I also suspect these students are trying to get around security and maybe installing apps in the directory e.g. Firefox Portable.

If I log on to a standard XP SP2 box as a restricted user I can create a folder in the root of C:. Have you tried this?

The permissions on C are:

Administrators: FULL
CREATOR OWNER: Special permissions (if I create a folder as a student their username shows as the OWNER and they have FULL special permissions).
Everyone: READ
SYSTEM: FULL
Users: READ


Thanks.
linney (TechnicalUser)
3 Feb 08 14:45
Yes, by default, a limited user is able to create a folder in the root of a drive, and then as he is the owner of the folder he can then create files in that owned folder.  A limited user is not able to create files in the root of a drive.  This seems to hold for both XP and Vista.

By fine tuning the permissions, see the earlier link, you can prevent the creation of folders too.
pinkpanther56 (TechnicalUser)
3 Feb 08 15:28
Right, cheers, I'll take a look at that.

Do you know if it's possible to set permissions as a station builds off our RIS server, unattend.txt option maybe, or will I have to script this once Windows is installed?

Thanks.
pinkpanther56 (TechnicalUser)
4 Feb 08 5:33
Ok, that worked, so now I only see Admins, System and Users on the root of C:.

I had a look at the Windows folder and noticed that Creator Owner also has FULL special permissions there but they can't create folders in there.

Any chance you can put my mind at rest and explain that? I'm feeling a bit confused.

Thanks.
linney (TechnicalUser)
4 Feb 08 14:09
Not really, now you see why I am happy to plod along with Default Settings, life is so much simpler.

Is it Inheriting anything from the C: drive permissions?  Conversely is it NOT Inheriting the permissions you set for C:?  Have a look at Inheritance, and I don't mean what your rich relative may have left you in their will.

"How Inheritance Affects File and Folder Permissions"
http://technet2.microsoft.com/windowsserver/en/library/85d88bb0-1277-48da-b321-be7c5dd317091033.mspx?mfr=true

Set permissions for folders and files
http://www.microsoft.com/windowsxp/using/networking/security/permissions.mspx#top

Have a look at this tool, it may come in handy?

SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
pinkpanther56 (TechnicalUser)
7 Feb 08 15:58
Ok, I think I've worked it out. Windows and Program Files are not set to inherit permissions so changing the C: drive root permissions doesn't affect them.

The difference is in the advanced permissions area, you can select a number of options from the 'Applies to' drop down box when editing the advanced permissions. In these areas the drop down is set to 'Subfolders and files only' not 'This folder, sub folders and files' so the creator owner 'write' permissions never apply to the current folder.

Bit odd but that seems to be it.

Thanks for your help along the way.
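
Added example, not part of any post in this thread: Python that maps the inheritance flags of each ACE in an SDDL DACL to the 'Applies to' wording discussed above and reports which non-admin trustees can create folders or files in a folder itself. The SDDL strings are constructed samples, the two special Users ACEs in the root sample are an assumption chosen to match the behaviour linney describes, and deny ACEs and group membership are not evaluated.

```python
import re
from functools import reduce

FILE_ADD_FILE = 0x2          # create files (same bit as FILE_WRITE_DATA)
FILE_ADD_SUBDIRECTORY = 0x4  # create folders (same bit as FILE_APPEND_DATA)
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
RIGHTS.update(GA=0x1F01FF, GR=0x120089, GW=0x120116, GX=0x1200A0)  # generic -> file
# (CI, OI, IO) ACE flags -> wording of the 'Applies to' drop-down
APPLIES_TO = {
    (False, False, False): "This folder only",
    (True, True, False): "This folder, subfolders and files",
    (True, False, False): "This folder and subfolders",
    (False, True, False): "This folder and files",
    (True, True, True): "Subfolders and files only",
    (True, False, True): "Subfolders only",
    (False, True, True): "Files only",
}
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def to_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to an access mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    return reduce(lambda m, code: m | RIGHTS[code], re.findall("..", rights), 0)

def parse_dacl(sddl):
    """Return one dict per ACE found in a DACL-only SDDL string."""
    aces = []
    for ace_type, flags, rights, trustee in ACE_RE.findall(sddl):
        f = set(re.findall("..", flags))
        aces.append({"allow": ace_type == "A", "trustee": trustee,
                     "mask": to_mask(rights), "inherit_only": "IO" in f,
                     "applies_to": APPLIES_TO.get(("CI" in f, "OI" in f, "IO" in f), "Nothing")})
    return aces

def granted_on_folder(aces, trustees, bit):
    """Trustees whose allow ACEs grant `bit` on the folder itself (deny ACEs ignored)."""
    return sorted({a["trustee"] for a in aces if a["allow"] and not a["inherit_only"]
                   and a["trustee"] in trustees and a["mask"] & bit})

# Constructed samples. BA=Administrators, SY=SYSTEM, CO=CREATOR OWNER, BU=Users, WD=Everyone.
# The two special Users ACEs (0x4, 0x2) in XP_ROOT are an assumption for illustration.
XP_ROOT = ("D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)"
           "(A;CI;0x4;;;BU)(A;CIIO;0x2;;;BU)(A;;0x1200a9;;;WD)")
WINDOWS_DIR = "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)"
NON_ADMIN = {"BU", "WD", "CO"}
if __name__ == "__main__":
    for ace in parse_dacl(XP_ROOT):
        print(ace["trustee"], hex(ace["mask"]), ace["applies_to"])
```

In both samples the CREATOR OWNER ACE is inherit-only, so it grants nothing on the folder that carries it; what lets Users create a folder in the root sample is the separate 0x4 ACE that applies to "This folder and subfolders".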
